Black Hole Exploit Pack (version 2.0.1)
A brief summary of an update to the Black Hole Exploit Pack (version 2.0.1) was published last week on Russian “underground” forums, in which the author announced the addition of a new Java exploit to the pack, CVE-2012-5067. This exploit runs on Java up to version 1.7.0.9. Three days later, an analysis of vulnerability CVE-2012-5076 was published on Microsoft’s forum.
As soon as our lab obtained a working version of the exploit pack and analyzed its modules, we discovered that the exploit pack exploited the CVE-2012-5076 vulnerability, not CVE-2012-5067 as mentioned in the article.
The analyzed exploit pack consisted of four modules which exploit vulnerabilities in Adobe Acrobat, Adobe Reader and Java. It was supposed to use exploits for Flash Player version 10.0.40 and higher, 10.2 up to the 159th update, and 10.3 up to the 181st update, but the exploit modules were absent.
After the exploit pack analysis, it was observed that the "PluginDetect" plugin is still used but was updated to version 0.7.9.
"PluginDetect" plugin version
HTTP requests to Black Hole Exploit Pack modules and executable file download
The function that encrypts the links is simple enough and is applied to separate fragments of the link:
Link obfuscation function
After decryption the link looks as follows:
Exploiting vulnerability in Adobe PDF
The exploit pack uses standard exploits available in earlier versions of Black Hole. One of the exploits presented in the pack uses the CVE-2010-0188 vulnerability we discussed in the previous article.
Another exploit contained in the kit is designed for older versions of Adobe Acrobat and Adobe Reader. A malicious PDF file contains obfuscated, malicious JavaScript. Once this script is executed, a chain of vulnerabilities is exploited:
Malicious JavaScript in the PDF file
Versions 6, 7 and 8 of Adobe Reader and Acrobat and versions 7.1, 7.11, 8.12, 8.13, 8.17, 9, 9.1 and 9.2 of the "EScript" plugin are vulnerable.
The exploit takes advantage of vulnerabilities when processing the Doc.media.newPlayer() (CVE-2009-4324) method, calling the following functions: Collab.collectEmailInfo() (CVE-2007-5659) and Collab.GetIcon() (CVE-2009-0927).
Once the exploits are executed, a file is downloaded as shown below:
http://<attacker_server_domain_name>/links/892fh9u23bfubjasvnaufhasu.php?bzfp=1m:1o:30:33:1n&ahrlbx=1n:2w:1o:32:1h:33:1l:1f:1f:32&jekgogl=1h&jddcjz=lguuk&qtstewt=mecghdoh
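The download request above has a recognisable shape: a `.php` path with several query parameters whose values are colon-separated two-character tokens. The following is an added detection sketch, not code from the original article. It flags that shape in proxy logs without attempting to decode the tokens; the log format, host names and thresholds are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Value made of colon-separated two-character [0-9a-z] tokens, e.g. "1m:1o:30:33:1n".
# Requiring at least four tokens is an assumed threshold, not taken from the article.
TOKEN_LIST = re.compile(r"^[0-9a-z]{2}(?::[0-9a-z]{2}){3,}$")

def token_list_params(url):
    """Return names of query parameters whose value is a colon-separated token list."""
    query = urlsplit(url).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if TOKEN_LIST.match(value)]

def is_suspicious(url, min_params=2):
    """Flag .php requests carrying at least `min_params` token-list parameters."""
    path = urlsplit(url).path.lower()
    return path.endswith(".php") and len(token_list_params(url)) >= min_params

def scan(log_lines):
    """Yield (client, url) for flagged lines; assumes 'client METHOD url status' lines."""
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 3 and is_suspicious(fields[2]):
            yield fields[0], fields[2]

# Constructed sample proxy log lines (hosts are placeholders, not indicators).
SAMPLE_LOG = [
    "10.0.0.5 GET http://kit.example/links/892fh9u23bfubjasvnaufhasu.php"
    "?bzfp=1m:1o:30:33:1n&ahrlbx=1n:2w:1o:32:1h:33:1l:1f:1f:32"
    "&jekgogl=1h&jddcjz=lguuk&qtstewt=mecghdoh 200",
    # Benign: only one parameter happens to look like a token list.
    "10.0.0.6 GET http://shop.example/cart.php?id=42&time=12:30:05:10 200",
    # Not a .php request, so outside this heuristic's scope.
    "10.0.0.7 GET http://news.example/index.html?ref=1m:1o:30:33:1n&x=1n:2w:1o:32 200",
]

if __name__ == "__main__":
    for client, url in scan(SAMPLE_LOG):
        print(client, url)
```

Requiring two matching parameters keeps a single time-like value such as `12:30:05:10` from triggering the rule on its own.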
Exploiting vulnerabilities in Java
Black Hole contains links to download two Java exploits:
The first is a Java applet that exploits vulnerability CVE-2012-1723 (http://www.lavasoft.com/mylavasoft/securitycenter/whitepapers/blackhole-exploit-pack-analysis).
The malicious applet «spn2.jar» (md5: ad6c9c4c4a0dbc37b6bab59977a3c63d) is a modified version of the old exploit:
Detecting the “spn2.jar” applet
The malicious applet exploits the vulnerability in Java version 1.6 up to the 33rd update.
Another exploit is brand new for the exploit pack. The «spn.jar» (md5: ad6c9c4c4a0dbc37b6bab59977a3c63d) applet is only executed on Java version 1.7 up to the 9th update. At the time of writing, the applet was not detected by a majority of antivirus products.
Detecting the “spn.jar” applet
The applet exploits the vulnerability in Java Runtime Environment (JRE) (CVE-2012-5076). Find a detailed description of the vulnerability here.
«spn.jar» malicious applet code
Once the exploit has executed successfully, a byte array is downloaded from the malicious page in the user’s browser. It is then decrypted, and the file is downloaded using the decrypted file link. The binary file is saved to the current user’s temporary folder with a random name and is then executed by the malware. At the time of writing, the exploit downloaded the following malicious file: «Backdoor.Win32.Pushdo» (md5: 585256db9b31ce7a63455210b69e5ff2).
Recently, makers of popular exploit packs have paid a lot of attention to searching for new vulnerabilities in the Java Runtime Environment (JRE). Most PCs have the JRE installed, so if a vulnerability is found, infection via Java exploits has a high chance of success, and it makes sense for attackers to study the weak points of Java. Also, the rate at which Java vulnerabilities are found makes it very difficult for vendors to develop, test and publish patches for Java products in time. One option is to disable Java within the web browser, but this can have a dramatic impact when surfing the web. It is recommended to update Java to the latest version, as well as to keep your antivirus program up-to-date and enabled.